There was mention recently on SecuriTeam about the lack of effectiveness of web application scanners. While they are effective for identifying the low-hanging fruit, I agree that as applications have advanced web application scanners have not kept up.
Web application scanners are now so bad that I won’t even use them if they’re free. At this point, I am officially divorced from automated application scanners. What I’ve been using, primarily, is Proxies and Firefox browser plugins. –Dmitry
Although I have not stopped using them completely (they’ll pick up the easily identifiable XSS and SQL injection), their effectiveness is definitely limited. So without further ado, let me drop a list I came up with in the past five minutes of:
What a web application scanner won’t find!
- Malicious file uploads via standard file upload functionality, e.g. a malicious ASP or PHP file
- Blind SQL injection that relies on other stateful variables (e.g. an application that increments a revision number on the page on the server side)
- Authorization problems: this user _SHOULD NOT_ be able to access this customer record
- Advanced forms of cross-site scripting: special encodings, or attacks that require heavy manipulation before JavaScript executes
- Broken authentication: similar to authorization, it is difficult for a web application scanner to tell whether a real user really needs access
- Poor encryption mechanisms: one of the huge downfalls of any application is custom “encryption” that is poorly designed. Web app scanners won’t catch this
- Parameter manipulation: oh, you meant $500 instead of $0.05?! No way an app scanner can catch this
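Two of the items above, parameter manipulation and authorization, come down to business logic a scanner cannot see because the server answers 200 either way. The following added example (not code from the original post) shows a vulnerable handler beside its hardened form for each, plus the two-account check a tester performs by hand; the catalog, users and records are constructed sample data.

```python
# Constructed sample data: the server-side source of truth for prices,
# and customer records with their owning user.
CATALOG = {"sku-100": 500.00}
RECORDS = {
    "cust-1": {"owner": "alice", "data": "alice's record"},
    "cust-2": {"owner": "bob", "data": "bob's record"},
}


def checkout_vulnerable(form):
    """Trusts the price the client submitted: the response is a valid
    200 whether the form said $500 or $0.05, so a scanner sees nothing."""
    return {"sku": form["sku"], "charged": float(form["price"])}


def checkout_hardened(form):
    """Ignores any client-supplied price and charges the catalog price."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    return {"sku": sku, "charged": CATALOG[sku]}


def get_record_vulnerable(user, record_id):
    """Any authenticated user can read any record just by knowing its id."""
    return RECORDS[record_id]


def get_record_hardened(user, record_id):
    """Checks ownership on every access; unknown and foreign ids look alike."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != user:
        raise PermissionError("not authorized")
    return rec


def cross_user_leak(fetch, other_user, record_id):
    """The manual two-account test: log in as a second user and replay a
    request for the first user's record. Returns True if access leaked."""
    try:
        fetch(other_user, record_id)
        return True
    except PermissionError:
        return False
```

The leak check is the kind of test that needs a human (or a proxy with two sessions) to decide who should own what; a scanner has no notion of which user a record belongs to.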
So there you go, just a few of the things that your $20,000 web app scanner won’t be able to catch. There are more, but that was the list that came immediately to mind.
p.s. On a side note, OWASP (the Open Web Application Security Project) recently launched a new initiative called the OWASP Spring of Code 2007 (SpoC 007) which will sponsor (Open Source) Web Application Security projects with (at least) $110,000 USD. Here’s your chance to make the tools better!